Unlock92
Unlock92 is ransomware that runs on Microsoft Windows. It was believed to be a variant of Kozy.Jozy.

Payload Transmission

Unlock92 is distributed by hacking through insecure RDP configurations, email spam with malicious attachments, deceptive downloads, botnets, exploits, web injects, fake updates, and repackaged or infected installers.

Infection

The infection begins with the data collection module, which automatically starts collecting data from the infected computer. The collected data can be used either to construct a unique victim ID or to expose the identity of the users who own the machine. The information used by the virus consists mainly of details about the installed hardware components, operating system values and user settings. Data that can directly reveal details about the owners consists of their name, phone number, address, location and any account credentials that are found. Because the virus can access the whole operating system, this also covers all user-installed applications; web browsers, for example, can be harvested for any stored credentials.

The harvested data can then be used by the stealth protection module, which detects, bypasses or entirely disables security services and systems, including anti-virus programs, sandbox/debug environments and virtual machine hosts. Once this step is complete, Unlock92 is able to control the infected system: it can start several processes, hook into others and manipulate the Task Manager. At this point in the infection process the malicious engine can modify the Windows Registry by creating entries of its own or modifying existing ones. Modified registry values belonging to the operating system can lead to severe performance issues and malfunctions, and modified strings belonging to third-party software can cause it to behave in unintended ways.
It then reprograms the infected system so that the virus code is launched every time the computer is powered on. This may also prevent access to the recovery boot menu, which several manual recovery instructions rely on. To make recovery more difficult, Unlock92 may delete sensitive user data such as System Restore Points and Shadow Volume Copies. If a network connection to a hacker-controlled server is established, it is usually used to report the infection. The virus then encrypts the user's data using AES/RSA encryption and appends the .LOCKED extension to the files. The accompanying ransom note is named using a similar formula, “.@LOCKED”. Its contents, translated from Russian, read:

“Your files have been encrypted. If you want to get them back, send one of the encrypted files to the e-mail: unk921@protonmail.com. If you do not receive a reply within 24 hours, download the TOR browser from www.torproject.com and use it to visit the site http://n3r2kuzhw2hx6j5.onion (https://n3r2kuzhw2h7x6j5.tor2web.io/ from any other browser without using TOR); the currently working mailbox will be listed there. Attempts to restore the files yourself may corrupt them irreversibly!”

The English text given with the note reads:

“Your files have been encrypted. If you want to restore files, send one more file to us to the e-mail: unk921@protonmail.com. Only in case you do not receive a response from the first email address within 24 hours, please use the TOR browser from www.torproject.com and see the current e-mail in http://n3r2kuzhw2hx6j5.onion (https://n3r2kuzhw2h7x6j5.tor2web.io/ from any other browser w/o using TOR). Using other tools could corrupt your files; in case of using third-party software we don't give guarantees that full recovery is possible, so use it at your own risk.”
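As an added example (not code from the page or from the malware itself), the following Python triage script walks a directory tree for the artifacts the page describes: files carrying the .LOCKED extension and ransom notes named with the .@LOCKED formula whose contents carry the contact details quoted above. The sample tree it builds is constructed for the demonstration, and its file names are hypothetical.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the page's description of Unlock92.
ENCRYPTED_SUFFIX = ".LOCKED"   # appended to every encrypted file
NOTE_SUFFIX = ".@LOCKED"       # the ransom note uses a similar naming formula
NOTE_MARKERS = ("unk921@protonmail.com", "n3r2kuzhw2hx6j5.onion")


def classify(name):
    """Return 'note', 'encrypted' or None for one file name."""
    if name.endswith(NOTE_SUFFIX):
        return "note"
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    return None


def note_matches(path):
    """True when a candidate note carries the contact details quoted on the page."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return any(marker in text for marker in NOTE_MARKERS)


def triage(root):
    """Walk a tree and summarise Unlock92 artifacts: encrypted files per directory and notes found."""
    per_dir = Counter()
    notes = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        kind = classify(p.name)
        if kind == "encrypted":
            per_dir[p.parent.relative_to(root).as_posix()] += 1
        elif kind == "note" and note_matches(p):
            notes.append(p.relative_to(root).as_posix())
    return {"encrypted_per_dir": dict(per_dir),
            "encrypted_total": sum(per_dir.values()),
            "notes": sorted(notes)}


def demo():
    """Build a constructed sample tree (hypothetical, not a real infection) and triage it."""
    base = Path(tempfile.mkdtemp())
    docs = base / "docs"
    docs.mkdir()
    (docs / "report.docx.LOCKED").write_bytes(b"\x00" * 16)
    (docs / "photo.jpg.LOCKED").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched file")
    (docs / "README.@LOCKED").write_text("e-mail: unk921@protonmail.com")
    return triage(base)
```

Run `triage(Path(r"D:\"))` style calls against a mounted image of a suspect host; a directory with a high count of .LOCKED files next to a matching note is the signal to isolate the machine and preserve it for forensics.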